From fae7e233f34a4420498ac8ba0f2ed74454fa4891 Mon Sep 17 00:00:00 2001
From: rugk
Date: Wed, 3 Sep 2025 12:38:44 +0000
Subject: [PATCH] test: write some tests for testing proxy ensurance
---
 tst/YourlsProxyTest.php | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/tst/YourlsProxyTest.php b/tst/YourlsProxyTest.php
index 9ceeea35..ecffda6e 100644
--- a/tst/YourlsProxyTest.php
+++ b/tst/YourlsProxyTest.php
@@ -47,6 +47,42 @@ class YourlsProxyTest extends TestCase
 $this->assertEquals($yourls->getUrl(), 'https://example.com/1');
 }
 
+ /**
+ * @dataProvider providerInvalidUrl
+ */
+ public function testImvalidUrl($uri)
+ {
+ $yourls = new YourlsProxy($this->_conf, $uri);
+ $this->assertTrue($yourls->isError());
+ $this->assertEquals($yourls->getError(), 'Invalid URL given.');
+ }
+
+ public function providerInvalidUrl() {
+ return array(
+ array(''),
+ array(' '),
+ array('foo'),
+ array('https://'),
+ array('ftp://example.com/?n=np'),
+ array('https://example.com'), // missing path and query parameter,
+ array('https://example.com/'), // missing query parameter
+ array('https://example.com?paste=something'), // missing path parameter
+ );
+ }
+
+ /**
+ * This tests for a trick using username of an URI, see:
+ * {@see https://cloud.google.com/blog/topics/threat-intelligence/url-obfuscation-schema-abuse/?hl=en}
+ *
+ * @return void
+ */
+ public function testForeignUrlUsingUsernameTrick()
+ {
+ $yourls = new YourlsProxy($this->_conf, 'https://example.com/@foreign.malicious.example?foo#bar');
+ $this->assertTrue($yourls->isError());
+ $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
+ }
+
 public function testForeignUrl()
 {
 $yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?foo#bar');
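Review bot: In `testForeignUrlUsingUsernameTrick` the `@` in `'https://example.com/@foreign.malicious.example?foo#bar'` comes after the first `/`, so under RFC 3986 it belongs to the path and the host is still `example.com`; the userinfo form described in the linked article puts the `@` before the host. The validation code in YourlsProxy is not part of this patch, so it is unclear from here why this input is expected to yield the foreign-instance error, but the test as written does not pin the authority-component case. I would add a second assertion or data set with `'https://example.com@foreign.malicious.example/?foo#bar'`, so that a prefix-only comparison against the configured base URL would fail the test. Separately, `testImvalidUrl` is misspelled and should read `testInvalidUrl`.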